Threat behavior

Installation

This malware downloads random files from hxxp://d2hrpnfyb3wv3k<dot>cloudfront<dot>net and then runs them on the infected system.

We have observed that this malware:

Is distributed by or with potentially unwanted applications

Is seen under file names ending in the *amd.exe suffix

Payload

Downloads malware or potentially unwanted applications

This threat can download other malware or potentially unwanted applications onto your PC.

It triggers a PowerShell instance to download random files from hxxp://d2hrpnfyb3wv3k<dot>cloudfront<dot>net.

The downloaded files are saved into the Temporary Internet Files folder of the current user on your PC. They may be other members of the Win32/Adload family or other potentially unwanted applications.
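The three behaviours described above (a PowerShell process reaching the cloudfront host, a drop into Temporary Internet Files, and the *amd.exe file-name suffix) can be turned into simple detection logic. The following is an added example, not code from this write-up or from Microsoft; the key=value log format, the field names and the sample lines are constructed assumptions, while the indicators come from the text above.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up, refanged so they match real telemetry.
C2_HOST = "hxxp://d2hrpnfyb3wv3k<dot>cloudfront<dot>net".replace("hxxp://", "").replace("<dot>", ".")
DROP_DIR = re.compile(r"\\Temporary Internet Files\\", re.IGNORECASE)
NAME_SUFFIX = re.compile(r"amd\.exe$", re.IGNORECASE)

@dataclass
class Event:
    image: str          # image of the process that produced the event
    cmdline: str = ""   # its command line (process-creation events)
    target: str = ""    # path written (file-write events)

def parse(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' log line (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields.get("image", ""), fields.get("cmdline", ""), fields.get("target", ""))

def match(ev: Event) -> list[str]:
    """Names of the write-up's behaviours that one event exhibits."""
    hits = []
    if ev.image.lower().endswith("powershell.exe") and C2_HOST in ev.cmdline.lower():
        hits.append("powershell_contacts_c2_host")
    if NAME_SUFFIX.search(ev.target):
        hits.append("amd_exe_suffix")
        if DROP_DIR.search(ev.target):
            hits.append("dropped_in_temporary_internet_files")
    return hits

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> matched behaviours, only for lines that matched something."""
    result = {}
    for i, line in enumerate(lines):
        hits = match(parse(line))
        if hits:
            result[i] = hits
    return result

# Constructed sample telemetry (not real logs); backslashes are doubled for Python.
SAMPLE_LOG = [
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -WindowStyle Hidden http://d2hrpnfyb3wv3k.cloudfront.net/file",
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|target=C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\xyzamd.exe",
    "image=C:\\Windows\\explorer.exe|cmdline=explorer.exe",
    "image=C:\\Program Files\\Vendor\\setup.exe|target=C:\\Users\\user\\Downloads\\toolamd.exe",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, ", ".join(hits))
```

A lone *amd.exe name in a Downloads folder is a weak signal on its own; the combination with the PowerShell download and the Temporary Internet Files drop is what matches this description.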

Connects to a remote host

We have seen this threat connect to a remote host, including:

hxxp://d2hrpnfyb3wv3k<dot>cloudfront<dot>net

Malware can connect to a remote host to do any of the following:

Check for an Internet connection

Download and run files (including updates or other malware)

Report a new infection to its author

Receive configuration or other data

This malware description was published based on the analysis of file SHA1 D9E57B9B526908CD3723CD6A7FC259A8BCE809CF.